IndustrialCyber

M-Trends 2026 reveals threat landscape shaped by faster, coordinated, and industrialized cyberattacks


Research from the M-Trends 2026 report points to a threat landscape where cyberattacks are becoming faster, more coordinated, and increasingly professionalized, with threat actors operating like structured organizations rather than isolated groups. Drawing on extensive incident response data, the report highlights how attackers can now transfer access between different actors in under 30 seconds, enabling rapid escalation from initial compromise to complex operations such as ransomware deployment or large-scale data theft. This level of coordination significantly compresses response windows for defenders and raises the risk of widespread operational disruption.

The 102-page report underscores how cybercrime continues to dominate as the most disruptive force, with attackers combining speed, specialization, and collaboration to maximize impact. These evolving tactics reflect a broader shift toward industrialized cyber operations, where initial access brokers, ransomware operators, and data exfiltration specialists work in tandem. As a result, organizations face increasingly complex, multi-stage attacks that are harder to detect and contain, reinforcing the need for faster detection, integrated defenses, and continuous incident response readiness.

M-Trends 2026 noted that one of the dynamics influencing the threat landscape is AI. “Recent GTIG reporting confirms that state-sponsored and financially motivated actors are integrating AI to accelerate the attack lifecycle. Attackers are increasingly relying on large language models (LLMs) as a strategic force multiplier to move beyond mass email campaigns toward hyper-personalized, rapport-building social engineering. In the wild, malware families like PROMPTFLUX and PROMPTSTEAL actively query LLMs mid-execution to evade detection, while ‘distillation attacks’ threaten intellectual property by extracting the proprietary logic and specialized training data of high-value machine learning models.”

The report also points to a threat landscape that is getting harder to detect and more costly to contain. Global median dwell time has climbed to 14 days, up from 11, largely driven by long-term espionage activity and DPRK-linked IT worker operations. The longer attackers remain undetected, the more complex and expensive remediation becomes. At the same time, financially motivated and espionage groups are leaning heavily on native system functionalities across on-premises and cloud environments, along with legitimate tools, to stay under the radar. This approach erodes the effectiveness of traditional endpoint security models that rely on malware signatures.

Ransomware tactics are also evolving. Operators are no longer focused primarily on data theft. Instead, they are deliberately targeting recovery itself by going after backup infrastructure, identity services, and virtualization management layers. By crippling an organization’s ability to restore operations, attackers significantly increase pressure to pay.

In terms of targeted industries, high tech was the most affected, representing 17% of investigations. Financial services followed at 14.6%, with business and professional services at 13.3%. Healthcare accounted for 11.9%, while retail and hospitality stood at 7.3%. Government cases made up 5.8%. Education and telecommunications each accounted for 4.6%. Construction and engineering, and entertainment and media recorded 4.1%, while transportation and logistics represented 3.4%, and aerospace and defense accounted for 2.7%. Energy and utilities each stood at 2.2%. Other industries made up 1.5%, while agricultural and forestry accounted for 0.5% and nonprofits for 0.2%.

The M-Trends 2026 data shows that exploits were the leading initial infection vector in 2025, accounting for 32%. Voice phishing followed at 11%, while prior compromise made up 10% and stolen credentials 9%. Web compromise contributed 8%, and both insider threat and email phishing each accounted for 6%. Third-party compromise represented 5%, while all other vectors combined made up 13%.

In 2025, threat clusters used an increasingly diverse array of social engineering tactics across email, voice, messaging platforms, and social media. To capture this nuance, GTIG has refined these categories to distinguish between interactive human engagement, such as voice phishing, and non-interactive technical lures, such as email phishing. While email phishing often relies on volume and opportunistic delivery, interactive methods involve a live person steering the conversation in real time. This distinction is critical for defenders: interactive attacks are significantly more resilient against automated technical controls and require different detection strategies. Globally, email phishing is no longer a top-observed initial intrusion vector.

The research also detailed that the most frequently exploited vulnerabilities identified in 2025 Mandiant incident response investigations were zero-days affecting internet-facing web application servers. These vulnerabilities, either alone or chained with additional flaws, enabled unauthenticated code execution against enterprise platforms that provide centralized access to an organization’s financial data, business operations data, or internal documents. Threat clusters often see these types of targets as opportunities for reconnaissance and as a beachhead from which they can expand further into a compromised network.

The data shows that financially motivated incidents fluctuated between 2020 and 2025. In 2020, 38% of incidents were financially driven, declining to 30% in 2021 and 26% in 2022. This trend reversed in 2023, rising to 36%, before easing slightly to 35% in 2024 and 30% in 2025. In 2025 specifically, 30% of incidents were associated with financial gain, while 70% showed no observed monetization. Within financially motivated activity, ransomware accounted for 13% of incidents and multifaceted extortion for 6%.

The M-Trends 2026 report showed that detection patterns in 2025 indicate that most incidents were identified internally, accounting for 52%. External entities were responsible for detecting 34% of cases, while adversaries themselves revealed 14% of incidents. The most frequently exploited vulnerabilities in 2025 were found in widely used enterprise platforms. These included SAP NetWeaver (CVE-2025-31324), Oracle E-Business Suite (CVE-2025-61882), and Microsoft SharePoint (CVE-2025-53770).

“In 2025, 52% of organizations detected evidence of malicious activity internally. External entities, such as law enforcement, CERTs, or cybersecurity companies, notified organizations of a potential compromise in 34% of cases,” according to the M-Trends 2026 report. “Adversaries informed organizations of a compromise, typically in the form of a ransom note, in 14% of cases. The proportion of internally detected compromises increased from 43% in 2024 to 52% in 2025, while external entity notifications declined from 43% to 34%.”

GTIG began tracking 714 new malware families in 2025, a significant increase from 632 in 2024, which brought the total number of tracked malware families to more than 6,000. A total of 224 malware families were observed in the investigations Mandiant performed in 2025, which includes 126 newly tracked families and an additional 98 malware families that were first discovered in prior years. For comparison, 205 malware families were observed in 2024 investigations, of which 83 were both newly tracked and observed that year.

As with prior years, the majority of newly tracked malware (72%) and malware families observed (63%) in 2025 investigations were effective on Windows. These percentages are consistent with 2024 findings. Malware families that are effective exclusively on Linux accounted for 12% of newly tracked families and 11% of observed malware families. The percentage of newly tracked malware families effective only on Linux remained stable compared to 2024, but the percentage of observed malware families effective only on Linux declined slightly from 17% in 2024. In addition to Windows and Linux, GTIG tracked malware families effective on macOS, BSD, and Unix.

“Observed malware encompasses both legacy and newly tracked malware observed in engagements. This provides a comprehensive look at which malware categories remain the most persistent choices for attackers in real-world environments,” according to the M-Trends 2026 report. “The most frequently observed roles of malware families observed in Mandiant’s 2025 investigations included backdoors at 36%, followed by downloaders at 11%, ransomware at 10%, droppers at 10%, credential stealers at 9%, with 24% of observed malware families falling into other roles. Despite an increase in newly tracked ransomware families and variants, ransomware declined in its share of observed malware from 14% in 2024, while downloaders increased from 7%, and credential stealers increased from 5%.”

In 2025, the most common initial infection vector found during Mandiant investigations of cloud-related compromises was voice phishing, at 23%, followed by third-party compromise (17%), stolen credentials (16%), email phishing (15%), insider threat (14%), and exploits (6%). Mandiant identified evidence of data theft in 59% of cloud compromises. Just over a third of cases, 34%, supported financially motivated objectives, including employment fraud, data theft extortion, ransomware, payment redirection fraud, and theft.

Mandiant investigated a number of incidents in 2025 in which the threat cluster deployed the BRICKSTORM backdoor on appliances that do not support endpoint detection and response (EDR), including Linux- and BSD-based appliances from multiple manufacturers. Using valid credentials likely captured on the network device, UNC6201 then accessed VMware vCenter servers and ESXi hosts. With access to vCenter, the threat cluster cloned virtual machines (VMs), which included single sign-on (SSO) identity providers, secret vaults, and domain controllers. By accessing targeted data and credentials in the cloned but powered-off VMs, the threat cluster circumvented security alerting on those systems. 

To defend against the activity described in M-Trends 2026, organizations should prioritize the security of infrastructure such as backups, identity services, and the virtualization layer, which attackers are now systematically targeting to deny recovery. Hardening edge and core network devices remains critical, especially since exploits continue to be the most common entry point for adversaries. By addressing these specific visibility gaps and focusing on the tactics that actually bring attackers success, defenders will strengthen their cyber resilience.

The report called upon defenders to close the speed gap with attackers if they want real operational resilience. M-Trends 2026 makes it clear that this is less about adding tools and more about rethinking how teams respond, prioritize, and see their environments. Low-impact alerts can no longer be treated as routine noise. With attackers moving from initial access to hands-on activity in seconds, even basic malware alerts should be handled as early warning signals of a deeper intrusion and acted on immediately.

Critical control planes, especially virtualization and management platforms, need to be locked down as Tier-0 assets. Backup environments should be isolated from the corporate Active Directory domain and built on immutable storage so attackers cannot wipe out recovery options. Identity has become the primary battleground. Traditional MFA is increasingly bypassed through social engineering, so organizations need continuous identity verification, strict least privilege, and tighter control over SaaS integrations by routing them through a central identity provider.

Detection strategies also need to evolve. Static indicators of compromise are losing value as attackers rotate infrastructure and use in-memory techniques. Behavioral detection that flags deviations from normal activity, such as unusual API usage or unauthorized access to edge systems, is now essential. Finally, visibility remains a weak point. Many organizations still operate with limited log retention, which leaves gaps that attackers can exploit over long dwell times. Extending log retention well beyond 90 days and centralizing telemetry from network devices, applications, and hypervisors is critical to uncovering sustained, low-noise intrusions.
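As an added illustration of the behavioral detection the report calls for, applied to the vCenter VM-cloning technique described above, the following Python flags clone, snapshot and export tasks against Tier-0 VMs (identity providers, secret vaults, domain controllers) in vCenter-style task events. This is example code, not from the report or from Mandiant; the event line format, the Tier-0 VM naming patterns, and the admin management network are constructed assumptions.

```python
"""Behavioral detection over vCenter-style task events (added example).

Assumptions (not from the M-Trends report): the log line format is
constructed, and TIER0_PATTERNS and ADMIN_NET are placeholders that a
real deployment would replace with its own asset inventory and network.
Mirrors the technique of cloning identity VMs to read them offline:
the clone itself is the signal, not activity inside the guest.
"""
import ipaddress
import re

TIER0_PATTERNS = ("dc", "adfs", "sso", "vault", "idp")   # assumed VM naming
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")          # assumed admin network
RISKY_TASKS = {"CloneVM_Task", "CreateSnapshot_Task", "ExportVm"}

# Constructed sample events: <time> <task> user=<u> src=<ip> vm=<name>
SAMPLE_LOG = """\
2025-03-02T01:12:07Z CloneVM_Task user=vsphere.local\\svc-backup src=10.10.0.5 vm=file-srv-01
2025-03-02T02:40:19Z CloneVM_Task user=corp\\jsmith src=192.168.77.14 vm=dc-01
2025-03-02T02:41:02Z CloneVM_Task user=corp\\jsmith src=192.168.77.14 vm=sso-idp-01
2025-03-02T02:43:55Z PowerOnVM_Task user=corp\\jsmith src=192.168.77.14 vm=dc-01-clone
2025-03-02T03:10:44Z CreateSnapshot_Task user=corp\\vcadmin src=10.10.0.9 vm=vault-01
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<task>\S+) user=(?P<user>\S+) src=(?P<src>\S+) vm=(?P<vm>\S+)$")

def is_tier0(vm):
    """Substring match against the assumed Tier-0 naming patterns."""
    return any(p in vm.lower() for p in TIER0_PATTERNS)

def detect(log_text):
    """Return (timestamp, severity, reason) findings for risky VM tasks."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines in other formats
        e = m.groupdict()
        if e["task"] not in RISKY_TASKS:
            continue                      # power/reconfigure tasks are not in scope
        outside = ipaddress.ip_address(e["src"]) not in ADMIN_NET
        if is_tier0(e["vm"]) and outside:
            findings.append((e["ts"], "high", f"{e['task']} on Tier-0 VM {e['vm']} from non-admin source {e['src']}"))
        elif is_tier0(e["vm"]):
            findings.append((e["ts"], "medium", f"{e['task']} on Tier-0 VM {e['vm']} by {e['user']}"))
        elif outside:
            findings.append((e["ts"], "low", f"{e['task']} from non-admin source {e['src']}"))
    return findings
```

Run over the constructed sample, the two clones of dc-01 and sso-idp-01 from a non-admin address are reported as high and the admin-originated snapshot of vault-01 as medium, while the routine file-server clone produces nothing.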
